Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Tuesday, January 3, 2017

A Simple Active Directory Group Membership Audit/Reporting Tool


Hope the New Year's off to a great start. As I had indicated a few days ago, starting January 26th I'll be sharing some valuable insights on Active Directory Security; until then just wanted to get some very basic stuff out of the way, this one being the 2nd.

Active Directory Group Membership Audit

For most organizations that operate on Microsoft's Active Directory, the need to be able to easily audit Active Directory group memberships is a basic cyber security need because virtually all IT resources in a Microsoft Windows network are secured and protected by Active Directory security groups. A few examples of such basic Active Directory group membership audits include -

  1. Exactly who is a member of a specific Active Directory domain security group, directly or indirectly?
  2. Exactly which security groups, if any, are nested within a specific Active Directory domain security group?
  3. Exactly which Active Directory domain security groups is a specific user a member of ?

Now, let me be the first to tell you that it is equally and perhaps far more important to also know exactly who can control/change the membership of every Active Directory domain security group, and today we can uniquely help organizations do so as well.

To fulfill these simple needs, IT admins around the world attempt various means, such as writing in-house LDAP/ PowerShell scripts, using free MS tools like LDP etc., or relying on various 3rd party audit tools many of which aren't reliable.

In doing so, here are some issues/challenges they could run into -
  1. In-house scripts are prone to human-error, need to be maintained and could be maliciously modified by someone.
  2. The use of PowerShell, and/or utilities like LDP requires a certain level of technical Active Directory expertise.
  3. Many 3rd party tools, whilst inexpensive, may or may not always be sufficiently trustworthy (e.g. built in Russia etc.)

In our experience, we found that what is ideally needed is a simple and reliable (tamper-proof) group membership audit tool that can help all IT personnel easily & trustworthily audit, analyze and document all their Active Directory group memberships.

So we built possibly the world's simplest Active Directory Group Membership tool that could help IT admins, analysts, auditors and other stakeholders easily and trustworthily fulfill their Active Directory group membership audit needs.

Gold Finger Active Directory Group Membership Audit/Reporting Tool

The Gold Finger Active Directory Group Membership Reporting Tool is quite simply the world's simplest and most trustworthy Active Directory Group Membership Audit Tool -

Active Directory Group Membership Audit/Reporting Tool

If you can touch a button, you can now easily and above all trustworthily fulfill all your Active Directory group membership audit and compliance reporting needs. All you have to do is touch a button; AD group memberships audits could not be simpler.

Capability Overview

Here's a quick overview of the tool's top 5 features/capabilities -
  1. Group and User Membership Enumeration – Enumerate the complete, flattened membership of any Active Directory security group as well as the complete list of all Active Directory security groups to which a user belongs.
  2. Circular Loop Detection and Infinite Loop Avoidance – Detect circularly-nested groups and avoid expansion infinite loops.
  3. Direct and Nested Enumeration – Enumerate direct members & nested members of any Active Directory security group.
  4. Source Nested Group Identification – Identify all nested groups via (membership in) which a user/group is a member.
  5. Dynamic Well-Known Security Principal Inclusion – Dynamically evaluate the membership of any well-known security principal, such as Authenticated Users, Domain Users, Domain Computers, Everyone etc.

Design Goals

Here are the 5 main design goals we set and met for Gold Finger -
  1. Trustworthiness - When it comes to security, Gold Finger sets the bar and gold standard for trustworthiness.
  2. Ease-of-use - It can be installed in 2 minutes on any machine* and requires no Active Directory knowledge to use.
  3. Instant Analysis - IT personnel can easily analyze group memberships, including group membership nesting etc. 
  4. User and Group based Audit - IT personnel can audit not just the membership of a specific domain security group but also the membership of a specific domain user or computer. 
  5. Data output - IT personnel can effortlessly export the raw data for archival, rich analysis etc.

Example Reports

Here are 10 real-world examples of the kinds of Active Directory group membership audits you can perform with Gold Finger -

  1. Audit the direct or complete (nested) membership of any domain security group such as Domain Admins.
  2. Generate an audit report documents all the groups to which a contractor's domain user account belongs.
  3. Generate PDF reports documenting the complete membership of all privileged access groups in Active Directory.
  4. Find out how the security group Temp Contractors is somehow a member of the All Employees security group.
  5. Find out how user John Doe is a member of the System Admins domain security group.
  6. Identify all security groups to which a Domain Admin's account belongs.
  7. Identify all security groups to which the CEO's domain user's account belongs.
  8. Identify all security groups nested within the All Employees domain security group.
  9. Enumerate the complete (direct and indirect) membership of the Domain Admins security group.
  10. Enumerate the direct membership of the Domain Admins security group.

Trusted Worldwide

Today, our simple Gold Finger Active Directory Group Membership Audit/Reporting Tool is used worldwide by the world's top organizations, including the U.S. Government and Fortune 10 companies, to easily and trustworthily fulfill their Active Directory security group membership audit and reporting needs.

Best wishes,

PS: This is about 0.1% of what we do, so this is as much as I'd like to say about it.

No comments:

Post a Comment